During 2020, major industrial VPN solutions were found to contain serious vulnerabilities that could be exploited to gain unauthorized access to OT networks and cause serious damage.
Popular VPN solutions have been exposed by cybersecurity firms as liabilities. A virtual private network lets users send and receive data across shared and public networks as if their devices were directly connected to the private network. Because of this, VPN solutions are used to give remote users (think of branch offices) full access to corporate applications and resources.
Because of those access privileges, the same technologies can pose a severe threat to an organization’s infrastructure. Enterprise-grade VPN solutions are currently used in water utilities, electric utilities, and oil and gas facilities, and their importance increased even further during the quarantine, with more professionals working remotely.
When we talk about a vulnerable VPN, we are referring to exploitable flaws that may give malicious actors full access to ICS devices.
Fortunately, the cybersecurity community has used these findings to help the solution providers properly patch the vulnerabilities. However, for organizations that rely on OT/ICS and VPN solutions, it is worth the effort to understand how such small flaws can lead to major problems.
VPN Solutions Recently Affected
In the first half of 2020, the cybersecurity community exposed remote code execution (RCE) vulnerabilities in highly popular VPN solutions. These products, widely used at utility facilities, were opening a big door for attackers to manipulate hardware and software through ICS devices. VPN implementations for OT/ICS are commonly deployed at the outer boundary of the network and provide full access to the devices within.
The degree of access these implementations grant has become a very serious liability for organizations: successful exploitation of the discovered vulnerabilities can give malicious actors full access to the devices on the network.
The GateManager solution had a vulnerability in its main routing instance, caused by improper handling of HTTP request headers. It could be exploited without authentication, and the potential consequences included full access to the internal network.
The Moxa EDR-G902 and EDR-G903 devices suffered from a buffer overflow bug in their web server. The bug was reachable by sending a specially crafted HTTP request, and successful exploitation gave the attacker remote code execution.
Finally, the eWon VPN device, and more precisely its proprietary eCatcher VPN client, had a critical flaw exploitable through a stack-based buffer overflow. Exploiting it required a successful phishing attack, luring the victim to a malicious website or email message. Once the malicious HTML element was processed by the system, the external agent could take control of the device.
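The GateManager and Moxa bugs above both stem from how an embedded web server handles HTTP request headers. The following added example (illustrative code written for this article, not vendor code, and not the actual defect in either product) shows the classic unsafe pattern beside its hardened form: a `Host:` value copied into a fixed-size stack buffer without a length check, next to a parser that measures the value first and refuses anything that does not fit. The header format, buffer size and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 32  /* assumed fixed-size buffer, as in a small embedded web server */

/* Unsafe pattern: the header value is copied with no length check, so a
 * request whose Host: value is HOST_MAX bytes or longer overruns the buffer
 * (a stack-based buffer overflow when 'out' lives on the caller's stack).
 * Kept here only to show the pattern; it is never called with long input. */
int parse_host_unsafe(const char *line, char *out /* HOST_MAX bytes */) {
    if (strncmp(line, "Host: ", 6) != 0) return -1;
    strcpy(out, line + 6);            /* no bound: the request controls the length */
    return 0;
}

/* Hardened: measure the value up to end-of-line, reject anything that will not
 * fit (do not silently truncate), and always NUL-terminate the output. */
int parse_host_safe(const char *line, char *out, size_t out_len) {
    if (strncmp(line, "Host: ", 6) != 0) return -1;
    const char *value = line + 6;
    size_t n = strcspn(value, "\r\n"); /* value ends at CR/LF or string end */
    if (n >= out_len) return -2;       /* oversized header: refuse the request */
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Self-checks: a normal header is parsed, an oversized one is rejected. */
int safe_accepts_normal(void) {
    char host[HOST_MAX];
    return parse_host_safe("Host: plc-gw.local\r\n", host, sizeof host) == 0
        && strcmp(host, "plc-gw.local") == 0;
}

int safe_rejects_long(void) {
    char line[128] = "Host: ";           /* constructed oversized header */
    memset(line + 6, 'A', 100);          /* 100-byte value, far beyond HOST_MAX */
    memcpy(line + 106, "\r\n", 3);       /* CRLF plus terminating NUL */
    char host[HOST_MAX];
    return parse_host_safe(line, host, sizeof host) == -2;
}

int main(void) {
    printf("normal header accepted: %d\n", safe_accepts_normal());
    printf("oversized header rejected: %d\n", safe_rejects_long());
    return 0;
}
```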
The Current State of Affairs
As we are forced to move towards working from home, professionals dedicated to OT/ICS at water utilities, electric utilities, and oil and gas facilities rely on VPN implementations to connect securely to remote sites. With this, proper cybersecurity measures have become even more critical.
Another important consideration is that it is not only in-house professionals who use these technologies to remotely access and modify devices within the ICS network, but also third-party vendors that provide maintenance, updates, and troubleshooting.
All these threats have been magnified by the COVID-19 pandemic, as exponentially more professionals have moved to remote work. This increases the need for high cybersecurity standards, starting with the implementation of properly built, flawless VPN solutions.